August 8, 2022
Lebanon-based POLONIUM group targeted over 20 Israeli companies using Microsoft's OneDrive cloud storage platform.

Lebanon-based hackers linked to Iran’s government targeted Israeli groups: Microsoft

Microsoft has announced that it detected and disabled cyberattacks over the last three months from a group based in Lebanon with ties to the Iranian government targeting over 20 organizations inside Israel and one intergovernmental organization in Lebanon.

According to a statement released on Thursday, the group, named POLONIUM, was working in coordination with Iran’s Ministry of Intelligence and Security, an assessment Microsoft said was “based primarily on victim overlap and commonality of tools and techniques.”


Microsoft has suspended more than 20 OneDrive applications created by the POLONIUM group.

“Our goal with this blog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large,” Microsoft’s blog post read.

The ties between Tehran and the hackers align “with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability.”

Earlier this week, FBI Director Christopher Wray revealed that the US foiled a cyberattack by the Iranian government against a children’s hospital in Boston, Massachusetts. The FBI head said it was “one of the most despicable cyberattacks I have ever seen.”

Detailing the attempts to target Israeli and Lebanese groups, Microsoft said POLONIUM had been focusing on critical manufacturing, IT, and Israel’s defense industry since February of this year.

Microsoft also said that an IT company was used to target a downstream aviation company and a law firm in one incident.

“Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a POLONIUM tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access,” Microsoft revealed. “This blog will also expose further details that show Iranian threat actors may be collaborating with proxies to operationalize their attacks.”